Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

How to read the report | Suppressing false positives | Getting Help: github issues

Project: test

Scan Information (show all):

Summary

Display: Showing Vulnerable Dependencies (click to show all)

DependencyVulnerability IDsPackageHighest SeverityCVE CountConfidenceEvidence Count
US_export_policy.jar 04
activation-1.1.jarpkg:maven/javax.activation/activation@1.1 031
animal-sniffer-annotations-1.17.jarpkg:maven/org.codehaus.mojo/animal-sniffer-annotations@1.17 024
asm-3.1.jarpkg:maven/asm/asm@3.1 022
charsets.jar 09
checker-compat-qual-2.5.2.jarpkg:maven/org.checkerframework/checker-compat-qual@2.5.2 025
cldrdata.jar 010
commons-io-1.3.2.jarpkg:maven/commons-io/commons-io@1.3.2 029
commons-lang3-3.2.1.jarpkg:maven/org.apache.commons/commons-lang3@3.2.1 037
dnsns.jar 09
error_prone_annotations-2.2.0.jarpkg:maven/com.google.errorprone/error_prone_annotations@2.2.0 025
failureaccess-1.0.1.jarpkg:maven/com.google.guava/failureaccess@1.0.1 031
guava-27.0.1-android.jarpkg:maven/com.google.guava/guava@27.0.1-androidLOW126
j2objc-annotations-1.1.jarpkg:maven/com.google.j2objc/j2objc-annotations@1.1 023
jaccess.jar 09
jackson-annotations-2.9.10.jarpkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.10 043
jackson-core-2.9.10.jarpkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.10 048
jackson-core-asl-1.9.2.jarpkg:maven/org.codehaus.jackson/jackson-core-asl@1.9.2 035
jackson-databind-2.9.10.jarpkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10CRITICAL3942
jackson-dataformat-yaml-2.9.10.jarpkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.9.10 042
jackson-jaxrs-1.9.2.jarpkg:maven/org.codehaus.jackson/jackson-jaxrs@1.9.2 037
jackson-jaxrs-base-2.9.10.jarpkg:maven/com.fasterxml.jackson.jaxrs/jackson-jaxrs-base@2.9.10 038
jackson-jaxrs-json-provider-2.9.10.jarpkg:maven/com.fasterxml.jackson.jaxrs/jackson-jaxrs-json-provider@2.9.10 040
jackson-mapper-asl-1.9.2.jarpkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.9.2CRITICAL1135
jackson-module-jaxb-annotations-2.9.10.jarpkg:maven/com.fasterxml.jackson.module/jackson-module-jaxb-annotations@2.9.10 042
jackson-xc-1.9.2.jarpkg:maven/org.codehaus.jackson/jackson-xc@1.9.2 037
javassist-3.21.0-GA.jarpkg:maven/org.javassist/javassist@3.21.0-GA 025
jaxb-api-2.2.2.jarpkg:maven/javax.xml.bind/jaxb-api@2.2.2 035
jaxb-impl-2.2.3-1.jarpkg:maven/com.sun.xml.bind/jaxb-impl@2.2.3-1 039
jce.jar 019
jersey-core-1.13.jarpkg:maven/com.sun.jersey/jersey-core@1.13 030
jersey-json-1.13.jarpkg:maven/com.sun.jersey/jersey-json@1.13 030
jersey-multipart-1.13.jarpkg:maven/com.sun.jersey.contribs/jersey-multipart@1.13 030
jersey-server-1.13.jarpkg:maven/com.sun.jersey/jersey-server@1.13 030
jersey-servlet-1.13.jarpkg:maven/com.sun.jersey/jersey-servlet@1.13 028
jettison-1.1.jarpkg:maven/org.codehaus.jettison/jettison@1.1 022
jetty-runner.jarpkg:maven/org.eclipse.jetty/jetty-runner@9.2.9.v20150224 029
jetty-runner.jar (shaded: javax.annotation:javax.annotation-api:1.2)pkg:maven/javax.annotation/javax.annotation-api@1.2 018
jetty-runner.jar (shaded: javax.servlet.jsp:javax.servlet.jsp-api:2.3.1)pkg:maven/javax.servlet.jsp/javax.servlet.jsp-api@2.3.1 018
jetty-runner.jar (shaded: javax.servlet:javax.servlet-api:3.1.0)pkg:maven/javax.servlet/javax.servlet-api@3.1.0 018
jetty-runner.jar (shaded: org.eclipse.jetty.toolchain:jetty-schemas:3.1.M0)pkg:maven/org.eclipse.jetty.toolchain/jetty-schemas@3.1.M0 012
jetty-runner.jar (shaded: org.eclipse.jetty.websocket:websocket-api:9.2.9.v20150224)pkg:maven/org.eclipse.jetty.websocket/websocket-api@9.2.9.v20150224 011
jetty-runner.jar (shaded: org.eclipse.jetty.websocket:websocket-client:9.2.9.v20150224)pkg:maven/org.eclipse.jetty.websocket/websocket-client@9.2.9.v20150224 011
jetty-runner.jar (shaded: org.eclipse.jetty.websocket:websocket-common:9.2.9.v20150224)pkg:maven/org.eclipse.jetty.websocket/websocket-common@9.2.9.v20150224 011
jetty-runner.jar (shaded: org.eclipse.jetty.websocket:websocket-server:9.2.9.v20150224)pkg:maven/org.eclipse.jetty.websocket/websocket-server@9.2.9.v20150224CRITICAL1011
jetty-runner.jar (shaded: org.eclipse.jetty.websocket:websocket-servlet:9.2.9.v20150224)pkg:maven/org.eclipse.jetty.websocket/websocket-servlet@9.2.9.v20150224 011
jetty-runner.jar (shaded: org.eclipse.jetty:jetty-annotations:9.2.9.v20150224)pkg:maven/org.eclipse.jetty/jetty-annotations@9.2.9.v20150224 013
jetty-runner.jar (shaded: org.eclipse.jetty:jetty-http:9.2.9.v20150224)pkg:maven/org.eclipse.jetty/jetty-http@9.2.9.v20150224CRITICAL913
jetty-runner.jar (shaded: org.eclipse.jetty:jetty-io:9.2.9.v20150224)pkg:maven/org.eclipse.jetty/jetty-io@9.2.9.v20150224 013
jetty-runner.jar (shaded: org.eclipse.jetty:jetty-jaas:9.2.9.v20150224)pkg:maven/org.eclipse.jetty/jetty-jaas@9.2.9.v20150224 011
jetty-runner.jar (shaded: org.eclipse.jetty:jetty-jndi:9.2.9.v20150224)pkg:maven/org.eclipse.jetty/jetty-jndi@9.2.9.v20150224 013
jetty-runner.jar (shaded: org.eclipse.jetty:jetty-jsp:9.2.9.v20150224)pkg:maven/org.eclipse.jetty/jetty-jsp@9.2.9.v20150224 013
jetty-runner.jar (shaded: org.eclipse.jetty:jetty-plus:9.2.9.v20150224)pkg:maven/org.eclipse.jetty/jetty-plus@9.2.9.v20150224CRITICAL913
jetty-runner.jar (shaded: org.eclipse.jetty:jetty-security:9.2.9.v20150224)pkg:maven/org.eclipse.jetty/jetty-security@9.2.9.v20150224 013
jetty-runner.jar (shaded: org.eclipse.jetty:jetty-server:9.2.9.v20150224)pkg:maven/org.eclipse.jetty/jetty-server@9.2.9.v20150224CRITICAL913
jetty-runner.jar (shaded: org.eclipse.jetty:jetty-servlet:9.2.9.v20150224)pkg:maven/org.eclipse.jetty/jetty-servlet@9.2.9.v20150224 013
jetty-runner.jar (shaded: org.eclipse.jetty:jetty-util:9.2.9.v20150224)pkg:maven/org.eclipse.jetty/jetty-util@9.2.9.v20150224 013
jetty-runner.jar (shaded: org.eclipse.jetty:jetty-webapp:9.2.9.v20150224)pkg:maven/org.eclipse.jetty/jetty-webapp@9.2.9.v20150224 013
jetty-runner.jar (shaded: org.eclipse.jetty:jetty-xml:9.2.9.v20150224)pkg:maven/org.eclipse.jetty/jetty-xml@9.2.9.v20150224 013
jetty-runner.jar (shaded: org.glassfish.web:javax.servlet.jsp.jstl:1.2.2)pkg:maven/org.glassfish.web/javax.servlet.jsp.jstl@1.2.2 018
jetty-runner.jar (shaded: org.glassfish.web:javax.servlet.jsp:2.3.2)pkg:maven/org.glassfish.web/javax.servlet.jsp@2.3.2 018
jetty-runner.jar (shaded: org.glassfish:javax.el:3.0.0)pkg:maven/org.glassfish/javax.el@3.0.0 018
jsr305-3.0.2.jarpkg:maven/com.google.code.findbugs/jsr305@3.0.2 016
jsr311-api-1.1.1.jarpkg:maven/javax.ws.rs/jsr311-api@1.1.1 035
jsse.jar 013
listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jarpkg:maven/com.google.guava/listenablefuture@9999.0-empty-to-avoid-conflict-with-guava 014
local_policy.jar 04
local_policy.jar 04
localedata.jar 08
logback-classic-1.0.1.jarpkg:maven/ch.qos.logback/logback-classic@1.0.1CRITICAL132
logback-core-1.0.1.jarpkg:maven/ch.qos.logback/logback-core@1.0.1CRITICAL132
management-agent.jar 02
mimepull-1.6.jarpkg:maven/org.jvnet/mimepull@1.6 024
nashorn.jar 011
reflections-0.9.11.jarpkg:maven/org.reflections/reflections@0.9.11 020
resources.jar 07
rt.jar 014
servlet-api-2.5.jarpkg:maven/javax.servlet/servlet-api@2.5
pkg:maven/org.zenframework.z8.dependencies.servlet/servlet-api-2.5@2.0
 035
slf4j-api-1.6.4.jarpkg:maven/org.slf4j/slf4j-api@1.6.4 026
snakeyaml-1.23.jarpkg:maven/org.yaml/snakeyaml@1.23HIGH125
stax-api-1.0-2.jarpkg:maven/javax.xml.stream/stax-api@1.0-2 017
stax-api-1.0.1.jarpkg:maven/stax/stax-api@1.0.1 025
sunec.jar 018
sunjce_provider.jar 020
sunpkcs11.jar 020
swagger-annotations-1.5.24.jarpkg:maven/io.swagger/swagger-annotations@1.5.24 030
swagger-core-1.5.24.jarpkg:maven/io.swagger/swagger-core@1.5.24 030
swagger-jaxrs-1.5.24.jarpkg:maven/io.swagger/swagger-jaxrs@1.5.24 029
swagger-jersey-jaxrs-1.5.24.jarpkg:maven/io.swagger/swagger-jersey-jaxrs@1.5.24 023
swagger-models-1.5.24.jarpkg:maven/io.swagger/swagger-models@1.5.24 029
validation-api-1.1.0.Final.jarpkg:maven/javax.validation/validation-api@1.1.0.Final 019
zipfs.jar 013

Dependencies

US_export_policy.jar

File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/security/policy/unlimited/US_export_policy.jar
MD5: cee2524fdbae6b2cbbd93899daf986d8
SHA1: c43a0598da5ad5349e04f9a130611b5e890f5acb
SHA256:f73813f3e2c3370c8b7adfaf85bede99441930aef30adb3e8009a451acb768dc

Identifiers

  • None

activation-1.1.jar

Description:

    JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).
  

License:

Common Development and Distribution License (CDDL) v1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/activation-1.1.jar
MD5: 8ae38e87cd4f86059c0294a8fe3e0b18
SHA1: e6cb541461c2834bdea3eb920f1884d1eb508b50
SHA256:2881c79c9d6ef01c58e62beea13e9d1ac8b8baa16f2fc198ad6e6776defdcdd3

Identifiers

animal-sniffer-annotations-1.17.jar

File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/animal-sniffer-annotations-1.17.jar
MD5: 7ca108b790cf6ab5dbf5422cc79f0d89
SHA1: f97ce6decaea32b36101e37979f8b647f00681fb
SHA256:92654f493ecfec52082e76354f0ebf87648dc3d5cec2e3c3cdb947c016747a53

Identifiers

asm-3.1.jar

File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/asm-3.1.jar
MD5: b9b8d2d556f9458aac8c463fd511f86d
SHA1: c157def142714c544bdea2e6144645702adf7097
SHA256:333ff5369043975b7e031b8b27206937441854738e038c1f47f98d072a20437a

Identifiers

charsets.jar

File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/charsets.jar
MD5: 6fcfadd087db54d9794bda958bee5c80
SHA1: ccd631d58958a23697d8d7c6564f4f0438aaee85
SHA256:507b86f7e8aecc568784730d97d955d09bf3850610396b47a856d464a91d63a1

Identifiers

  • None

checker-compat-qual-2.5.2.jar

Description:

        Checker Qual is the set of annotations (qualifiers) and supporting classes
        used by the Checker Framework to type check Java source code.  Please
        see artifact:
        org.checkerframework:checker
    

License:

GNU General Public License, version 2 (GPL2), with the classpath exception: http://www.gnu.org/software/classpath/license.html
The MIT License: http://opensource.org/licenses/MIT
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/checker-compat-qual-2.5.2.jar
MD5: a3b4198798f8b9a84598c89d193d1161
SHA1: dc0b20906c9e4b9724af29d11604efa574066892
SHA256:d7291cebf5e158d169807ae49d4b16ff672986f0c6d803e5f207c40cb61ef982

Identifiers

cldrdata.jar

File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/ext/cldrdata.jar
MD5: bd5a47224ddae1b3a485d1c5f80c48e4
SHA1: af51a9fd2afa905f6f2fbd5524f020dd0ac2ef4d
SHA256:bda2b83acbe87010b2f83f782d12823bc1c337e318b77cbf26965407292e9049

Identifiers

  • None

commons-io-1.3.2.jar

Description:

        Commons-IO contains utility classes, stream implementations, file filters, and endian classes.
  

File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/commons-io-1.3.2.jar
MD5: 903c04d1fb5d4dc81d95e4be93ff7ecd
SHA1: b6dde38349ba9bb5e6ea6320531eae969985dae5
SHA256:551c13e49dab32aebdb7a70ec9c2767372e58864ae115ef389582e548cffee38

Identifiers

commons-lang3-3.2.1.jar

Description:

  Apache Commons Lang, a package of Java utility classes for the
  classes that are in java.lang's hierarchy, or are considered to be so
  standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/commons-lang3-3.2.1.jar
MD5: 7fc4221e7e3a05d8052d3fbb34fb0a5a
SHA1: 66f13681add50ca9e4546ffabafaaac7645db3cf
SHA256:8024c2503bf83efa7dff153fe024c1624f5f756be0ec5fc11c856fe420864d26

Identifiers

dnsns.jar

File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/ext/dnsns.jar
MD5: 1eba6d5b556726c89df7011e5aaf2fde
SHA1: e84272f3d7d4f6260eca93238a67f67d982c4c1a
SHA256:bb77da6338dada3a05aedb7dbb57dcfa3750d237149b20fceb1e5af952cfec70

Identifiers

  • None

error_prone_annotations-2.2.0.jar

License:

Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/error_prone_annotations-2.2.0.jar
MD5: 416757b9e6ba0563368ab59e668b3225
SHA1: 88e3c593e9b3586e1c6177f89267da6fc6986f0c
SHA256:6ebd22ca1b9d8ec06d41de8d64e0596981d9607b42035f9ed374f9de271a481a

Identifiers

failureaccess-1.0.1.jar

Description:

    Contains
    com.google.common.util.concurrent.internal.InternalFutureFailureAccess and
    InternalFutures. Most users will never need to use this artifact. Its
    classes is conceptually a part of Guava, but they're in this separate
    artifact so that Android libraries can use them without pulling in all of
    Guava (just as they can use ListenableFuture by depending on the
    listenablefuture artifact).
  

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/failureaccess-1.0.1.jar
MD5: 091883993ef5bfa91da01dcc8fc52236
SHA1: 1dcf1de382a0bf95a3d8b0849546c88bac1292c9
SHA256:a171ee4c734dd2da837e4b16be9df4661afab72a41adaf31eb84dfdaf936ca26

Identifiers

guava-27.0.1-android.jar

Description:

    Guava is a suite of core and expanded libraries that include
    utility classes, google's collections, io classes, and much
    much more.
  

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/guava-27.0.1-android.jar
MD5: d0e0e5df992425f93fdeb1fe235cc229
SHA1: b7e1c37f66ef193796ccd7ea6e80c2b05426182d
SHA256:caf0955aed29a1e6d149f85cfb625a89161b5cf88e0e246552b7ffa358204e28

Identifiers

CVE-2020-8908 (OSSINDEX)  

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CVSSv3:
  • Base Score: LOW (3.3)
  • Vector: CVSS:/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.google.guava:guava:27.0.1-android:*:*:*:*:*:*:*

j2objc-annotations-1.1.jar

Description:

    A set of annotations that provide additional information to the J2ObjC
    translator to modify the result of translation.
  

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/j2objc-annotations-1.1.jar
MD5: 49ae3204bb0bb9b2ac77062641f4a6d7
SHA1: ed28ded51a8b1c6b112568def5f4b455e6809019
SHA256:2994a7eb78f2710bd3d3bfb639b2c94e219cedac0d4d084d516e78c16dddecf6

Identifiers

jaccess.jar

File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/ext/jaccess.jar
MD5: b488ebcc7b90d48362dd0ff73df98e4a
SHA1: 699a7ac1b2845d9f61fa6a7523099f64bd062cab
SHA256:0f4035baa79e3c8d72cbe21473de172c1feb9481ddd4ed76bdc0c03b78e3596b

Identifiers

  • None

jackson-annotations-2.9.10.jar

Description:

Core annotations used for value types, used by Jackson data binding package.
  

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-annotations-2.9.10.jar
MD5: 26c2b6f7bc704ccadc64c83995e0ff7f
SHA1: 53ab2f0f92e87ea4874c8c6997335c211d81e636
SHA256:c876f2e85d0f108a34cdd11ccc9d8d7875697367efc75bf10a89c2c26aee994c

Identifiers

jackson-core-2.9.10.jar

Description:

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-core-2.9.10.jar
MD5: d62d9b1d1d83dd553e678bc8fce8f809
SHA1: 66b715dec9dd8b0f39f3296e67e05913bf422d0c
SHA256:65fe26d7554a4409652c86ee38f2e94bc42934326d88b3c78c61f66ff2222c53

Identifiers

jackson-core-asl-1.9.2.jar

Description:

Jackson is a high-performance JSON processor (parser, generator)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-core-asl-1.9.2.jar
MD5: 3a569b4b918f23392e63028b896cb9c4
SHA1: 8493982bba1727106d767034bd0d8e77bc1931a9
SHA256:ce1e6476ef99566f90706045be5e190769fc60d8ba2fd2c3b54c905775240148

Identifiers

jackson-databind-2.9.10.jar

Description:

General data-binding functionality for Jackson: works on core streaming API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-databind-2.9.10.jar
MD5: ff43d79c624b0f7d465542fee6648474
SHA1: e201bb70b7469ba18dd58ed8268aa44e702fa2f0
SHA256:49bb71a73fcdcdf59c40a1a01d7245f41d3a8ba96ea6182b720f0c6167241757

Identifiers

CVE-2019-16942 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2019-16943 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2019-17531 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2019-20330 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-10672 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-10673 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-10968 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-10969 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-11111 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-11112 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-11113 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
CVSSv3:
  • Base Score: HIGH (8.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-11619 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-11620 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-14060 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-14061 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-14062 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-14195 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-24616 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-24750 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-25649 (OSSINDEX)  

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-35490 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-35491 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-35728 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-36179 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-36180 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-36181 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-36182 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-36183 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-36184 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-36185 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-36186 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-36187 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-36188 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-36189 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-8840 (OSSINDEX)  

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-9546 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-9547 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2020-9548 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

CVE-2021-20190 (OSSINDEX)  

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.9.10:*:*:*:*:*:*:*

jackson-dataformat-yaml-2.9.10.jar

Description:

Support for reading and writing YAML-encoded data via Jackson abstractions.
  

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-dataformat-yaml-2.9.10.jar
MD5: ebecc5b67b96874c08068151fd89d0b5
SHA1: 561275877edf6321692f29e66ae5ccc7b1664939
SHA256:338e27fd71a825c948c98a2a3fedd79bd14e6c7bcc9b6d21fd8b17abfd28bcc0

Identifiers

jackson-jaxrs-1.9.2.jar

Description:

Jax-RS provider for JSON content type, based on 
Jackson JSON processor's data binding functionality.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
GNU Lesser General Public License (LGPL), Version 2.1: http://www.fsf.org/licensing/licenses/lgpl.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-jaxrs-1.9.2.jar
MD5: 98fad059e87a847a1ef8e2d278b17e74
SHA1: aedf43f1d5005561e531b6bf0d067e4d20f58aba
SHA256:99c3cb687c2d1c458c34bc582f22bb34e8ee12eba532df47b849454aa2fd7092

Identifiers

jackson-jaxrs-base-2.9.10.jar

Description:

Pile of code that is shared by all Jackson-based JAX-RS
providers.
  

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-jaxrs-base-2.9.10.jar
MD5: 3dde182860e6f59fea3871880b1875b9
SHA1: 8f13207626ffab14943da9e7447dc065f7762a4e
SHA256:4a76bd0d1f5f66293867bb9e021bcf8ba179bdd69cf69852d623204297fe85eb

Identifiers

jackson-jaxrs-json-provider-2.9.10.jar

Description:

Functionality to handle JSON input/output for JAX-RS implementations (like Jersey and RESTeasy) using standard Jackson data binding.
  

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-jaxrs-json-provider-2.9.10.jar
MD5: 5a6659fa62763f65fb7e187dca166346
SHA1: 89a2f5d0adc42c3e37a7167e0759641de55aafdd
SHA256:0fe7309bb8d0fa8f48cd6846bc3a27eef04b0263b6533ac58ef7ad85b1bdf38c

Identifiers

jackson-mapper-asl-1.9.2.jar

Description:

Data Mapper package is a high-performance data binding package
built on Jackson JSON processor

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-mapper-asl-1.9.2.jar
MD5: 246dc2edd781021dce648e59dc839d85
SHA1: 95400a7922ce75383866eb72f6ef4a7897923945
SHA256:438c831bcebfdeaa33602a782fe43a82722aca6287191c3b8de4b308ab82c585

Identifiers

CVE-2017-15095 (OSSINDEX)  

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.2:*:*:*:*:*:*:*

CVE-2017-17485 (OSSINDEX)  

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.2:*:*:*:*:*:*:*

CVE-2017-7525 (OSSINDEX)  

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.2:*:*:*:*:*:*:*

CVE-2018-1000873 (OSSINDEX)  

Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CVSSv3:
  • Base Score: MEDIUM (6.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.2:*:*:*:*:*:*:*

CVE-2018-14718 (OSSINDEX)  

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.2:*:*:*:*:*:*:*

CVE-2018-5968 (OSSINDEX)  

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
CVSSv3:
  • Base Score: HIGH (8.1)
  • Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.2:*:*:*:*:*:*:*

CVE-2018-7489 (OSSINDEX)  

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.2:*:*:*:*:*:*:*

CVE-2019-14540 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.2:*:*:*:*:*:*:*

CVE-2019-14893 (OSSINDEX)  

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.2:*:*:*:*:*:*:*

CVE-2019-16335 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.2:*:*:*:*:*:*:*

CVE-2019-17267 (OSSINDEX)  

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.2:*:*:*:*:*:*:*

jackson-module-jaxb-annotations-2.9.10.jar

Description:

Support for using JAXB annotations as an alternative to "native" Jackson annotations, for configuring
data-binding.
  

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-module-jaxb-annotations-2.9.10.jar
MD5: fe4cda4049277f5c8758f32a00f2b633
SHA1: b7fc3212e95586f42a0d3b5cf1311e42a3ac0248
SHA256:72a8ef1246f7a2dc680de67bc5009cc5de71b3825adf98726d290643a36576c0

Identifiers

jackson-xc-1.9.2.jar

Description:

Extensions that provide interoperability support for
Jackson JSON processor's data binding functionality.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
GNU Lesser General Public License (LGPL), Version 2.1: http://www.fsf.org/licensing/licenses/lgpl.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-xc-1.9.2.jar
MD5: d9d4d69e16e45595f0542eb6f2cf1117
SHA1: 437c991a8eb2c8b69ef1dba2eba27fccb9b98448
SHA256:97ddd164678c2705da7b22e9db3110c416b39cdfc50f385d23b586551d76a195

Identifiers

javassist-3.21.0-GA.jar

Description:

  	Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation
    simple.  It is a class library for editing bytecodes in Java.
  

License:

MPL 1.1: http://www.mozilla.org/MPL/MPL-1.1.html
LGPL 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Apache License 2.0: http://www.apache.org/licenses/
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/javassist-3.21.0-GA.jar
MD5: 3dba2305f842c2891df0a0926e18bcfa
SHA1: 598244f595db5c5fb713731eddbb1c91a58d959b
SHA256:7aa59e031f941984af07dacc6ca85e6dc9bd3a485e9aa2494cbc034efa1225d0

Identifiers

jaxb-api-2.2.2.jar

Description:

    JAXB (JSR 222) API
  

License:

CDDL 1.0: https://glassfish.dev.java.net/public/CDDL+GPL.html
GPL2 w/ CPE: https://glassfish.dev.java.net/public/CDDL+GPL.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jaxb-api-2.2.2.jar
MD5: a415e9a322984be1e1f8a023d09dca5f
SHA1: aeb3021ca93dde265796d82015beecdcff95bf09
SHA256:30233df6215fb982d8784de91d307596748cea98d6d502293c7c3e85c1697137

Identifiers

jaxb-impl-2.2.3-1.jar

Description:

JAXB (JSR 222) reference implementation

License:

CDDL 1.1: https://glassfish.java.net/public/CDDL+GPL_1_1.html
GPL2 w/ CPE: https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jaxb-impl-2.2.3-1.jar
MD5: 1b689e7f87caf2615c0f6a47831d0342
SHA1: 56baae106392040a45a06d4a41099173425da1e6
SHA256:fa3e1499b192c310312bf02881274b68394aaea4c9563e6c554cc406ae644ff8

Identifiers

jce.jar

File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/jce.jar
MD5: b233cb28ac93d59b7fa35d58995b4376
SHA1: 45e38210b8c85d0383b38cd2f2657ef1b57648a7
SHA256:1b38fc441bfa7a416830f9f7654a6f56980aaaf20b9bc4d481063869189bfba8

Identifiers

  • None

jersey-core-1.13.jar

Description:

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311)        production quality Reference Implementation for building        RESTful Web services.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jersey-core-1.13.jar
MD5: d5fb9a11eb74b95b6eb47fc55365a255
SHA1: 4326a56dc6b2d67b7313905c353e1af225bb164f
SHA256:d611f1936d330a032a57c18fc8cdf4944800cf8fe4a2e8d2debfff902242304e

Identifiers

jersey-json-1.13.jar

Description:

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311)        production quality Reference Implementation for building        RESTful Web services.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jersey-json-1.13.jar
MD5: a09f1ec9f0fa1fde84ba95d06998f13d
SHA1: f7346cce2c0e73afd39e2783c173ee134f79a0f9
SHA256:729e477298d3546f1f27b4baef0d54b93da02d48467a64e49200ab68d16c784a

Identifiers

jersey-multipart-1.13.jar

Description:

Projects that provide additional functionality to jersey, like integration        with other projects/frameworks.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jersey-multipart-1.13.jar
MD5: 7a5fc0b445bd3ccc8fff4c908380c08e
SHA1: f822011f067556dac3babfaf47d929d3c5d204ef
SHA256:51bf3d0630fe89e4c1121109271f26012ed22a297ca0e41ab7deca949a8ef53c

Identifiers

jersey-server-1.13.jar

Description:

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311)        production quality Reference Implementation for building        RESTful Web services.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jersey-server-1.13.jar
MD5: 181c6f4f6ed2ef18d343eda2b0ec34fa
SHA1: a83c83bf51fe532e2226a91110f1a2297711c536
SHA256:c728015f4f5ecd8c625910910dbeaea871f173005676fffb1bef50eada7ab190

Identifiers

jersey-servlet-1.13.jar

Description:

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311)        production quality Reference Implementation for building        RESTful Web services.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jersey-servlet-1.13.jar
MD5: 9a2f8370ff92e08c8127d06a9c3ff467
SHA1: 2e45e281002391865525c4bf0e525887dcd22341
SHA256:642ad59c4b91b64eb98e3476adce11806d66ae9d04d0a018cf594e90fe937c95

Identifiers

jettison-1.1.jar

Description:

A StAX implementation for JSON.

File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jettison-1.1.jar
MD5: fc80e0aabd516c54739262c3d618303a
SHA1: 1a01a2a1218fcf9faa2cc2a6ced025bdea687262
SHA256:377940288b0643c48780137f6f68578937e1ea5ca2b73830a820c50a7b7ed801

Identifiers

jetty-runner.jar

File Path: /tmp/image-unpacked/petstore/jetty-runner.jar
MD5: b664fe75238cb4f2b27d86eb14e4c68c
SHA1: c613c860720f2e526fdc6fd2fece7ebf73e4b382
SHA256:ee2257bc2e6b8154580dc9e396663df16c5fa3cbb74b16518e14b00aca130808

Identifiers

jetty-runner.jar (shaded: javax.annotation:javax.annotation-api:1.2)

Description:

Common Annotations for the JavaTM Platform API

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/javax.annotation/javax.annotation-api/pom.xml
MD5: 11204d5fb5c6aa1ae5948f22a37a2795
SHA1: d90e6c7f83898fe30f83aeaf4d411285f970a433
SHA256:52d73f35f7e638ce3cb56546f879c20e7f7019f72aa20cde1fa80e97865dfd40

Identifiers

jetty-runner.jar (shaded: javax.servlet.jsp:javax.servlet.jsp-api:2.3.1)

License:

CDDL + GPLv2 with classpath exception: http://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/javax.servlet.jsp/javax.servlet.jsp-api/pom.xml
MD5: a34c569e04ba5f74fff7dca4d8e5423f
SHA1: 91529bd82741d6b0dc7fe3cf874d4c50f3a67690
SHA256:9fde4ef559339edd514b27b973a3cceb9fb591b0a37e22fd76bf60b33a729a13

Identifiers

jetty-runner.jar (shaded: javax.servlet:javax.servlet-api:3.1.0)

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/javax.servlet/javax.servlet-api/pom.xml
MD5: 6a2986e18b635d080acc64f56f438c6c
SHA1: 330afdf2f976af1584c6a18333f4d53d264df1de
SHA256:b31109e22ea3f2df1ad7955432e718a35def50ae6c19698034afa8a0cf9e9069

Identifiers

jetty-runner.jar (shaded: org.eclipse.jetty.toolchain:jetty-schemas:3.1.M0)

File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty.toolchain/jetty-schemas/pom.xml
MD5: 95e337b6b65c475e35426b1abc92e280
SHA1: 0f87883ed660933cac15c852a9aba3fd91ca5598
SHA256:e5679dcc8bb56b94d7223368d290f49f338f1f02eccb2972bbef55b16bea6456

Identifiers

jetty-runner.jar (shaded: org.eclipse.jetty.websocket:websocket-api:9.2.9.v20150224)

File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty.websocket/websocket-api/pom.xml
MD5: 4030ac43289238dc2e983d5563850db3
SHA1: 8d5ea296bff426e4cf2e7f904f4e623a3c1da118
SHA256:6d6e5a70347722433f3998b6137278ad0752509f05808e49101ba22ae4cbe38b

Identifiers

jetty-runner.jar (shaded: org.eclipse.jetty.websocket:websocket-client:9.2.9.v20150224)

File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty.websocket/websocket-client/pom.xml
MD5: 3f57d72aba8ee11a27de55213171d1f4
SHA1: 7e3c8d84814eb57e7db6aab1cd2c9c64b7f2e1b2
SHA256:17e86c5a8c3a4a3aaed3a0566c44b4e51f105734b5343577df4321482048ba03

Identifiers

jetty-runner.jar (shaded: org.eclipse.jetty.websocket:websocket-common:9.2.9.v20150224)

File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty.websocket/websocket-common/pom.xml
MD5: 478036a6a830eaf84ae301d1ec82efae
SHA1: 9fc082ea6adeaa752100d9cb87354bb538016273
SHA256:006056fb249cde89ab7d739f2104997c617a7b30f6657ca10fa65d26dcac92f6

Identifiers

jetty-runner.jar (shaded: org.eclipse.jetty.websocket:websocket-server:9.2.9.v20150224)

File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty.websocket/websocket-server/pom.xml
MD5: 5a8d1ad2be29ae06272fc46ae72f5132
SHA1: 07b75086a59b5cf656d88a647b7eaaa431d1d042
SHA256:2296f386e535f440a8c388663dafbf913b2652fc578022b57ded44891fac352e

Identifiers

CVE-2017-7656 (OSSINDEX)  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty.websocket:websocket-server:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2017-7657 (OSSINDEX)  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty.websocket:websocket-server:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2017-7658 (OSSINDEX)  

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty.websocket:websocket-server:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2017-9735 (OSSINDEX)  

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty.websocket:websocket-server:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2018-12536 (OSSINDEX)  

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty.websocket:websocket-server:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2019-10241 (OSSINDEX)  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty.websocket:websocket-server:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2019-10247 (OSSINDEX)  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty.websocket:websocket-server:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2021-28165 (OSSINDEX)  

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty.websocket:websocket-server:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2021-28169 (OSSINDEX)  

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty.websocket:websocket-server:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2021-34428 (OSSINDEX)  

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CVSSv3:
  • Base Score: LOW (3.5)
  • Vector: CVSS:/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty.websocket:websocket-server:9.2.9.v20150224:*:*:*:*:*:*:*

jetty-runner.jar (shaded: org.eclipse.jetty.websocket:websocket-servlet:9.2.9.v20150224)

File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty.websocket/websocket-servlet/pom.xml
MD5: a8b1e1a7382115c0af8cdf30ba95645b
SHA1: 1bf770fb4c79b1e8ccf93085a4cdfde6d31d3dfd
SHA256:bc94a505e5bf37ebadee6ba85dfdf01e3355a408f1133c8e0ca4bfbf09e3e891

Identifiers

jetty-runner.jar (shaded: org.eclipse.jetty:jetty-annotations:9.2.9.v20150224)

Description:

Annotation support for deploying servlets in jetty.

File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-annotations/pom.xml
MD5: 667b7d770753508e7e02a3d35a6b76ad
SHA1: e08057d4cd3649b81caec09f1a92292e5b21a8ec
SHA256:157b6497e5543af12eb5ff1817b7638d4432a6d764d3adb8e763b4c12f540866

Identifiers

jetty-runner.jar (shaded: org.eclipse.jetty:jetty-http:9.2.9.v20150224)

File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-http/pom.xml
MD5: 2ec1053164f601a110f451089cfa58bb
SHA1: d3d757e0e8625e8804ecdd9e6d52fbfb95c31c80
SHA256:ca466abf19e2e35a2e878b9b63faf89eaffb73bee6c97d1c7e4f60aeadd22d30

Identifiers

CVE-2017-7656 (OSSINDEX)  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-http:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2017-7657 (OSSINDEX)  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-http:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2017-7658 (OSSINDEX)  

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-http:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2017-9735 (OSSINDEX)  

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-http:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2018-12536 (OSSINDEX)  

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-http:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2019-10241 (OSSINDEX)  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-http:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2019-10247 (OSSINDEX)  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-http:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2021-28169 (OSSINDEX)  

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-http:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2021-34428 (OSSINDEX)  

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CVSSv3:
  • Base Score: LOW (3.5)
  • Vector: CVSS:/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-http:9.2.9.v20150224:*:*:*:*:*:*:*

jetty-runner.jar (shaded: org.eclipse.jetty:jetty-io:9.2.9.v20150224)

File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml
MD5: e0b67eb63f3feaf0e4348910e812ea91
SHA1: 64d4d058329620deb1744296276dd8dd4a416bac
SHA256:eee2f9e4de5972a61879411d8d93266afa7dc8528bff5e3a0fcdc8f2ea8108fd

Identifiers

jetty-runner.jar (shaded: org.eclipse.jetty:jetty-jaas:9.2.9.v20150224)

Description:

Jetty JAAS support

File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-jaas/pom.xml
MD5: 6b8cbb4809c2b2e03616b8bc8455283c
SHA1: b72397789f0979cf0c22d09888d7a407369d35da
SHA256:cef1af6045c3bfb2491555e3fd9dc55ee9c2893e019952da64ad09605c3a3ddf

Identifiers

jetty-runner.jar (shaded: org.eclipse.jetty:jetty-jndi:9.2.9.v20150224)

Description:

JNDI spi impl for java namespace.

File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-jndi/pom.xml
MD5: 1399e2e1bbc32a197f5dfdf72dc1923a
SHA1: a86ccccc24fb40e36607ca6cfb0e644350216ee2
SHA256:bbb9c1163f9553cddd4ff456cb8b2936010768d689e1d44f34a34843d60cbfa1

Identifiers

jetty-runner.jar (shaded: org.eclipse.jetty:jetty-jsp:9.2.9.v20150224)

File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-jsp/pom.xml
MD5: 2958b5c261e4d3dda935ca34fe3599c2
SHA1: a42133eb9985659dc1ce5cb2e9b07ef389adb72b
SHA256:0064b454084f7ce3be4129ee3fd8de232e886dca8d3a80950632f3bae2cf03bb

Identifiers

jetty-runner.jar (shaded: org.eclipse.jetty:jetty-plus:9.2.9.v20150224)

Description:

Jetty JavaEE style services

File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml
MD5: e59906d83cbddfb6c79a75cbc0b79bbd
SHA1: fadef3109fca007c79147f17bf5ffbb15bbd5f3b
SHA256:99317767ee2b8bd8833323721235d6163e38f3a18c52a394f22b5c26f5f33d49

Identifiers

CVE-2017-7656 (OSSINDEX)  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-plus:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2017-7657 (OSSINDEX)  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-plus:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2017-7658 (OSSINDEX)  

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-plus:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2017-9735 (OSSINDEX)  

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-plus:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2018-12536 (OSSINDEX)  

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-plus:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2019-10241 (OSSINDEX)  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-plus:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2019-10247 (OSSINDEX)  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-plus:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2021-28169 (OSSINDEX)  

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-plus:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2021-34428 (OSSINDEX)  

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CVSSv3:
  • Base Score: LOW (3.5)
  • Vector: CVSS:/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-plus:9.2.9.v20150224:*:*:*:*:*:*:*

jetty-runner.jar (shaded: org.eclipse.jetty:jetty-security:9.2.9.v20150224)

Description:

Jetty security infrastructure

File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-security/pom.xml
MD5: d5b16c990e2b1295f006d33c61baf65b
SHA1: e7f6e826eceff59d70f23d787d8c45e55d8b18de
SHA256:895841806d9f0dcfb64de5d219767cd8f9dbe01b4a839ce153a80b01278ca50d

Identifiers

jetty-runner.jar (shaded: org.eclipse.jetty:jetty-server:9.2.9.v20150224)

Description:

The core jetty server artifact.

File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-server/pom.xml
MD5: e0789e8ba0e1b42ab63089574ab58741
SHA1: 61318575d3f342c87df515882ec781eb5de42ee5
SHA256:300833380d92c358c04204f949f85aaa13723ec4ff58d5daba9dcd4280878799

Identifiers

CVE-2017-7656 (OSSINDEX)  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-server:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2017-7657 (OSSINDEX)  

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-server:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2017-7658 (OSSINDEX)  

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-server:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2017-9735 (OSSINDEX)  

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-server:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2018-12536 (OSSINDEX)  

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-server:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2019-10241 (OSSINDEX)  

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVSSv3:
  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-server:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2019-10247 (OSSINDEX)  

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-server:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2021-28169 (OSSINDEX)  

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVSSv3:
  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-server:9.2.9.v20150224:*:*:*:*:*:*:*

CVE-2021-34428 (OSSINDEX)  

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CVSSv3:
  • Base Score: LOW (3.5)
  • Vector: CVSS:/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.eclipse.jetty:jetty-server:9.2.9.v20150224:*:*:*:*:*:*:*

jetty-runner.jar (shaded: org.eclipse.jetty:jetty-servlet:9.2.9.v20150224)

Description:

Jetty Servlet Container

File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.xml
MD5: c45f63d8cd0d366f06eb6d9591019c57
SHA1: 9f27d15c3d23f140edc1c516908f74aa070ae0ee
SHA256:8dd9816436f42ca25260b8c58e608f828ef14658f650a016ab2d1171269a63e3

Identifiers

jetty-runner.jar (shaded: org.eclipse.jetty:jetty-util:9.2.9.v20150224)

Description:

Utility classes for Jetty

File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-util/pom.xml
MD5: 521aeb04e83fa456d308fca3acea7f3a
SHA1: af58c0badd08b471ddc8a49c405b523f226acf73
SHA256:6617fe358c18d1ebdb36177054b9a375f32be2db99a664ed9dfdcd276750c638

Identifiers

jetty-runner.jar (shaded: org.eclipse.jetty:jetty-webapp:9.2.9.v20150224)

Description:

Jetty web application support

File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-webapp/pom.xml
MD5: 9acc3eddcace28d6f4a4ad56152135cd
SHA1: 0d5faf195c021a7ce5c724188ac5abd962d5bc3e
SHA256:6c73618fbbc64531c929065eab98e946e5f4f5977d710f5e2b30d2035fbf064f

Identifiers

jetty-runner.jar (shaded: org.eclipse.jetty:jetty-xml:9.2.9.v20150224)

Description:

The jetty xml utilities.

File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-xml/pom.xml
MD5: 564db350302dc1d9847118a87604b0e3
SHA1: 601b5c88c2f0f119e06c7090d50fa8a119e1e804
SHA256:993ed9ed47de90ec29543f3bcba7f737ba29a29168b4841e9a71f3079a8ae8e2

Identifiers

jetty-runner.jar (shaded: org.glassfish.web:javax.servlet.jsp.jstl:1.2.2)

License:

CDDL + GPLv2 with classpath exception: http://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.glassfish.web/javax.servlet.jsp.jstl/pom.xml
MD5: 4e320b184e1225504330d128566a6613
SHA1: fcc6d28092955896adc30ed33471bffa6571b19d
SHA256:e7c1526d49d73cfb87f2bc830f0898450a9ae9825a254fc503152d475987db7a

Identifiers

jetty-runner.jar (shaded: org.glassfish.web:javax.servlet.jsp:2.3.2)

License:

CDDL + GPLv2 with classpath exception: http://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.glassfish.web/javax.servlet.jsp/pom.xml
MD5: 575dbdf961822e93a612b9424d17c6f9
SHA1: 8cd4c4a28286a08e7175b2a871476fa826d72cdd
SHA256:07607d50e282f432c098961bb0d4badfd5cf72d7b4c6560ff46d67d6d61c97ae

Identifiers

jetty-runner.jar (shaded: org.glassfish:javax.el:3.0.0)

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.glassfish/javax.el/pom.xml
MD5: 76610ceb2b04f993235e494fad98feed
SHA1: 87e2c027a9a54fc5bd2a4f7530a4e445e58328ec
SHA256:ebaf81d3793777ee28d12171b20c3ec5ce20f5d9dac252f2e6521f126ae3c2b2

Identifiers

jsr305-3.0.2.jar

Description:

JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jsr305-3.0.2.jar
MD5: dd83accb899363c32b07d7a1b2e4ce40
SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d
SHA256:766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7

Identifiers

jsr311-api-1.1.1.jar

License:

                CDDL License
            : http://www.opensource.org/licenses/cddl1.php
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jsr311-api-1.1.1.jar
MD5: c9803468299ec255c047a280ddec510f
SHA1: 59033da2a1afd56af1ac576750a8d0b1830d59e6
SHA256:ab1534b73b5fa055808e6598a5e73b599ccda28c3159c3c0908977809422ee4a

Identifiers

jsse.jar

File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/jsse.jar
MD5: 30a1b95d07047a5d5ed5e59e7278042c
SHA1: ae513f69de55fe94bd7bccd0e67500f9ac9565c1
SHA256:c149dc78a45ab428dab77524b3582547650cc63c6b8ad17d1be06cca9aa7d775

Identifiers

  • None

listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar

Description:

    An empty artifact that Guava depends on to signal that it is providing
    ListenableFuture -- but is also available in a second "version" that
    contains com.google.common.util.concurrent.ListenableFuture class, without
    any other Guava classes. The idea is:

    - If users want only ListenableFuture, they depend on listenablefuture-1.0.

    - If users want all of Guava, they depend on guava, which, as of Guava
    27.0, depends on
    listenablefuture-9999.0-empty-to-avoid-conflict-with-guava. The 9999.0-...
    version number is enough for some build systems (notably, Gradle) to select
    that empty artifact over the "real" listenablefuture-1.0 -- avoiding a
    conflict with the copy of ListenableFuture in guava itself. If users are
    using an older version of Guava or a build system other than Gradle, they
    may see class conflicts. If so, they can solve them by manually excluding
    the listenablefuture artifact or manually forcing their build systems to
    use 9999.0-....
  

File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
MD5: d094c22570d65e132c19cea5d352e381
SHA1: b421526c5f297295adef1c886e5246c39d4ac629
SHA256:b372a037d4230aa57fbeffdef30fd6123f9c0c2db85d0aced00c91b974f33f99

Identifiers

local_policy.jar

File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/security/policy/limited/local_policy.jar
MD5: aa0b0a8034cebe483861e48f1942b3cb
SHA1: 5dd851f6e0e60bbadc94107050c6d17e5d2d30f5
SHA256:516c2063e7aaac0afafc9c6610d91f43f14a2e7d019bd5d3ae9d532f68d6372a

Identifiers

  • None

local_policy.jar

File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/security/policy/unlimited/local_policy.jar
MD5: 197f10571bfd51cbf4a6f8355b2e387a
SHA1: c1ba54088b99e7f628081814720f24d9b836405b
SHA256:5e1233ef7de2ca4a8e1035bb0b4e9b8f7aab0242138bfd6f5abaf8c4aa999da8

Identifiers

  • None

localedata.jar

File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/ext/localedata.jar
MD5: 09fc2f233c564fd6fa03eb20a2e7959f
SHA1: 15f695b0efd4571f5d21d9eea7bc1f834ec26fa9
SHA256:7fcbdf0108c055a4347e14687cb46e89d6ba27d47960c5920c26abfa73f43442

Identifiers

  • None

logback-classic-1.0.1.jar

Description:

   
    Logback: the reliable, generic, fast and flexible logging library for Java.
  

License:

Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.html
GNU Lesser General Public License: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/logback-classic-1.0.1.jar
MD5: 4cc444391c34e0f2aa247e9b9448ef81
SHA1: c8dcc66f2be29837ef5990db5f20292253a0fbab
SHA256:8b2e3e25ad8bbee8a3e63c826ac774f9409475a4d9a9b8976345915fd5a58d84

Identifiers

CVE-2017-5929 (OSSINDEX)  

QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:ch.qos.logback:logback-classic:1.0.1:*:*:*:*:*:*:*

logback-core-1.0.1.jar

Description:

    
    Logback: the generic, reliable, fast and flexible logging library for Java.
  

License:

Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.html
GNU Lesser General Public License: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/logback-core-1.0.1.jar
MD5: 5f2eedaa5a2769aec41355849cec8d31
SHA1: 365c8cbc1322184f45c2a3fcc7f903fb471b2b06
SHA256:419bda34c62a9340015d0fcfcacde93676f8c4cbe006d891a3c9f3ea60d89e00

Identifiers

CVE-2017-5929 (OSSINDEX)  

QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:ch.qos.logback:logback-core:1.0.1:*:*:*:*:*:*:*

management-agent.jar

File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/management-agent.jar
MD5: d1e9b1d4a3c62f0742ae8d0a195b778e
SHA1: 6dff5c0f8b374ce981b9b8ed9b34d8102cc2d4d6
SHA256:14912406e5defd61b9315713824f731c49477ffa16e7a4067bb637a430cae761

Identifiers

  • None

mimepull-1.6.jar

Description:

        Provides a streaming API to access attachments parts in a MIME message.
  

License:

            Dual license consisting of the CDDL v1.1 and GPL v2
        : https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/mimepull-1.6.jar
MD5: 33a4946176551587c63a343bf663ad41
SHA1: 9a108888661e4c47edec899b796c91557ebf3a35
SHA256:00432e80ca50fafa5b6c36fd835770675549abad0e8a815ea770cb97d1ff5c25

Identifiers

nashorn.jar

File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/ext/nashorn.jar
MD5: abc97d27d6d43f4760eed163c035d312
SHA1: 4ffbc5b9f8f7d51d8b6a303c70230d274aba7520
SHA256:cfd22a6c1d89a3b2595057803f7f79933d7b89918dd2151d1d188b572a1dbb57

Identifiers

  • None

reflections-0.9.11.jar

Description:

Reflections - a Java runtime metadata analysis

License:

WTFPL: http://www.wtfpl.net/
The New BSD License: http://www.opensource.org/licenses/bsd-license.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/reflections-0.9.11.jar
MD5: aca303b243a6c2225685b992ceea1cb3
SHA1: 4c686033d918ec1727e329b7222fcb020152e32b
SHA256:cca88428f8a8919df885105833d45ff07bd26f985f96ee55690551216b58b4a1

Identifiers

resources.jar

File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/resources.jar
MD5: 3d6a5da6915207869ace623ea14f63d8
SHA1: abd77ffe73245f9d1eed4c0766991813a5024516
SHA256:4a9d57f650734040b8d8df137df0b088c4a6908a90cdaca090cc5e2f34b4b3f5

Identifiers

  • None

rt.jar

File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/rt.jar
MD5: 3661e69c0a67b28ef11ff47ad6319290
SHA1: eb641fa3e2ac49651e13cbee18c573c41a5f415f
SHA256:0d2b2fedfe10248461c7295ec96bd97720d42b376a7aa12508753af0a6549d16

Identifiers

  • None

servlet-api-2.5.jar

File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/servlet-api-2.5.jar
MD5: 69ca51af4e9a67a1027a7f95b52c3e8f
SHA1: 5959582d97d8b61f4d154ca9e495aafd16726e34
SHA256:c658ea360a70faeeadb66fb3c90a702e4142a0ab7768f9ae9828678e0d9ad4dc

Identifiers

slf4j-api-1.6.4.jar

Description:

The slf4j API

File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/slf4j-api-1.6.4.jar
MD5: 75e1a2a3b84c59bf9d4f42de57a533b1
SHA1: 2396d74b12b905f780ed7966738bb78438e8371a
SHA256:367b909030f714ee1176ab096b681e06348f03385e98d1bce0ed801b5452357e

Identifiers

snakeyaml-1.23.jar

Description:

YAML 1.1 parser and emitter for Java

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/snakeyaml-1.23.jar
MD5: 64ec8bd26b6d5034a87ecb1c8ce0efdc
SHA1: ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68
SHA256:13009fb5ede3cf2be5a8d0f1602155aeaa0ce5ef5f9366892bd258d8d3d4d2b1

Identifiers

CVE-2017-18640 (OSSINDEX)  

The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
CVSSv3:
  • Base Score: HIGH (7.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a:org.yaml:snakeyaml:1.23:*:*:*:*:*:*:*

stax-api-1.0-2.jar

Description:

    StAX is a standard XML processing API that allows you to stream XML data from and to your application.
  

License:

GNU General Public Library: http://www.gnu.org/licenses/gpl.txt
COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: http://www.sun.com/cddl/cddl.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/stax-api-1.0-2.jar
MD5: 7d18b63063580284c3f5734081fdc99f
SHA1: d6337b0de8b25e53e81b922352fbea9f9f57ba0b
SHA256:e8c70ebd76f982c9582a82ef82cf6ce14a7d58a4a4dca5cb7b7fc988c80089b7

Identifiers

stax-api-1.0.1.jar

Description:

StAX API is the standard java XML processing API defined by JSR-173

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/stax-api-1.0.1.jar
MD5: 7d436a53c64490bee564c576babb36b4
SHA1: 49c100caf72d658aca8e58bd74a4ba90fa2b0d70
SHA256:d1968436fc216c901fb9b82c7e878b50fd1d30091676da95b2edd3a9c0ccf92e

Identifiers

sunec.jar

File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/ext/sunec.jar
MD5: cc8f945599ae371bfb2f565ffdc3e846
SHA1: a028af7b0e74ac0b576d95d4c06e056fe5c5e5c2
SHA256:6688c4649146d050b949f4f6d61f887de60f59ae81b8fa67c55acc0a50371a7b

Identifiers

  • None

sunjce_provider.jar

File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/ext/sunjce_provider.jar
MD5: bc2bcc31dec7bdff87cb54a85a7be162
SHA1: 004362ac24543b3fff2c66dde1fad7a88079676a
SHA256:0b4f50e2b04ba80667fd399ef0155c9349c74878726955d14a82fe1ab005757f

Identifiers

  • None

sunpkcs11.jar

File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/ext/sunpkcs11.jar
MD5: 1e0a27ef4adf59d360f3370d070bbeb0
SHA1: 4a4e9c2c139bd4b1119b5fca16f2dbb4f5bd935e
SHA256:ae78f6fcc6102490f380bcbb513ef2a728b2b5444e7d3aea8089b33b70fda44e

Identifiers

  • None

swagger-annotations-1.5.24.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/swagger-annotations-1.5.24.jar
MD5: 40de93c2f4b880387cd5582da8b0cd36
SHA1: 35f18d13237eb203e11fa2dd5e4d240bca7975c6
SHA256:1dd51d64cf0e51837bc00c0fa23ae08fcc156adacffac2b8852a9789838c9268

Identifiers

swagger-core-1.5.24.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/swagger-core-1.5.24.jar
MD5: ff22578d6e9184a3daf7b4e3d809c111
SHA1: 77fb8d7a8bec19778d552ec5b08e3909505128c9
SHA256:b667860cef517936651b2c4494f7820c3e2eb51148b655f65b2b3b48f9db0b61

Identifiers

swagger-jaxrs-1.5.24.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/swagger-jaxrs-1.5.24.jar
MD5: de8a47cd778cbab1349f31253e444d83
SHA1: 7c735ca3bdec42be0dc88fff2d063621759c0e5e
SHA256:a154002f13a1224f5e6a4595cb52f21c197eb02cdc1d78b43062bd2198ca5475

Identifiers

swagger-jersey-jaxrs-1.5.24.jar

File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/swagger-jersey-jaxrs-1.5.24.jar
MD5: af9d6ebb9bc8179ea935ebd4c462edb2
SHA1: abef4190ecbd883c43c05b6722948229c1e25d38
SHA256:756c6ae9271e5a66fd58a9044fee7b17b12568a55c649e917e2b4ebc9050c647

Identifiers

swagger-models-1.5.24.jar

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/swagger-models-1.5.24.jar
MD5: c2384d0ae3df29a612f024539e6df6a7
SHA1: a9519bdad852118927d5de65800e7ac919bef345
SHA256:9322c42ac24234619b0d895aacfe4abcd2b5808eec0b826c89b759a9ab7bc166

Identifiers

validation-api-1.1.0.Final.jar

Description:

        Bean Validation API
    

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/validation-api-1.1.0.Final.jar
MD5: 4c257f52462860b62ab3cdab45f53082
SHA1: 8613ae82954779d518631e05daa73a6a954817d5
SHA256:f39d7ba7253e35f5ac48081ec1bc28c5df9b32ac4b7db20853e5a8e76bf7b0ed

Identifiers

zipfs.jar

File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/ext/zipfs.jar
MD5: 03bf6e029ce5e39179291918f69d71da
SHA1: bfd6c508181a65c8db8ec331fde2784b8e239bfc
SHA256:125b2ab210d3e90d11c5e06b32cfa1fd1b1fe7c6768aa88f4202edaaebfd0287

Identifiers

  • None


This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the NPM Public Advisories.
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.